Insider attacks

Insider attacks are attacks on a computer system by an 'insider': someone who already holds some privileges on the system and who misuses them to gain unauthorized access or to cause some other kind of damage. These attacks are harder to counter than external attacks by users who are not already known to the system, because the attacker starts from a legitimate identity rather than having to break in. This is particularly true when the insider has detailed knowledge of the system.

Insider attacks do not usually involve damage to or corruption of data, unless they are perpetrated by someone who has just been fired and who wants revenge on the company. They are more likely to involve turning off checks so that some other behaviour is not revealed, or accessing confidential information which is then sold to someone else.

An example of a situation where checks were bypassed by an insider was a major incident at a French bank where a trader lost 4.9 billion euros. The scale of the loss was due to the fact that he had turned off the checks on his trading.

Outsiders with malicious intent may use social engineering to trick users into revealing confidential information such as their login credentials. With this information they become 'proxy insiders', and their attacks are practically impossible to distinguish from other insider attacks because, as far as the system is concerned, they are the legitimate user. There have also been several reported incidents of call centre staff selling confidential information about customers.

Logging mechanisms that record both the identity and the location of users, together with log analysis programs, may help in detecting insider attacks: an access from an unexpected location, activity outside normal working hours, or a configuration change that disables a check can be flagged for investigation. Making it known that such logs are maintained may deter some insiders from attempting attacks, as they may judge that the risk is not worthwhile. Encryption of stored data may also help, since an insider then needs not only to be authenticated but also to hold the key required to decode the information.
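As an added example, not from this text or from the author, the Python script below runs the kind of log analysis described above over a small audit log. The log format, the event names, the baseline of where each user normally works and the working-hours window are all assumptions made for illustration; the log lines are constructed, not real data. It flags three things: a user appearing from a location outside their baseline, activity outside working hours, and a configuration change that turns a check off. It also correlates events across lines, so that a trade by a user who earlier disabled a check in the same log is reported, which is the pattern in the bank incident above.

```python
"""Flag candidate insider-attack indicators in an audit log.

Added example: the log format, field names, baseline and thresholds
are assumptions for illustration, not a format from the page.
"""
from datetime import datetime

# Constructed sample audit log (not real data). One event per line:
#   timestamp  user  location  action  [detail]
SAMPLE_LOG = """\
2008-03-03T09:12:01 alice paris-office login ok
2008-03-03T09:15:44 alice paris-office read trade_book
2008-03-03T09:20:10 bob london-office login ok
2008-03-03T09:21:03 bob london-office config set trade_limit_check=off
2008-03-03T09:40:12 bob london-office trade size=900000000
2008-03-03T23:55:31 alice vpn-external read customer_records
2008-03-04T02:10:07 alice vpn-external export customer_records
2008-03-04T09:05:00 carol paris-office login ok
"""

# Assumed baseline: where each user normally works, and the hours
# (24h, local time) during which their activity is expected.
KNOWN_LOCATIONS = {
    "alice": {"paris-office"},
    "bob": {"london-office"},
    "carol": {"paris-office"},
}
WORK_HOURS = range(7, 20)  # 07:00 to 19:59

# Markers in a config event's detail that mean a control was turned off.
CONTROL_DISABLING = ("=off", "=false", "disable")


def parse_line(line):
    """Split one log line into a dict; returns None for malformed lines."""
    parts = line.split(maxsplit=4)
    if len(parts) < 4:
        return None
    ts, user, location, action = parts[:4]
    detail = parts[4] if len(parts) == 5 else ""
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return {"when": when, "user": user, "location": location,
            "action": action, "detail": detail}


def analyse(log_text):
    """Return a list of (user, reason, raw_line) findings, in log order."""
    findings = []
    disabled_a_control = set()  # users who turned a check off earlier in the log
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # malformed lines are skipped, not trusted
        user = ev["user"]
        if ev["location"] not in KNOWN_LOCATIONS.get(user, set()):
            findings.append((user, "unusual-location", raw))
        if ev["when"].hour not in WORK_HOURS:
            findings.append((user, "out-of-hours", raw))
        if ev["action"] == "config" and any(m in ev["detail"] for m in CONTROL_DISABLING):
            findings.append((user, "control-disabled", raw))
            disabled_a_control.add(user)
        # Correlation: a trade by someone who has already switched a check
        # off is exactly the behaviour the disabled check would have caught.
        if ev["action"] == "trade" and user in disabled_a_control:
            findings.append((user, "trade-after-control-disabled", raw))
    return findings


def users_with_disabled_controls(findings):
    """Distinct users who turned a control off, sorted for stable output."""
    return sorted({u for u, reason, _ in findings if reason == "control-disabled"})


if __name__ == "__main__":
    for user, reason, line in analyse(SAMPLE_LOG):
        print(f"{reason:28} {user:6} {line}")
```

The analysis only has value if the insider cannot edit the log it is run on, so the log should be written to a system the monitored users have no write access to, and the baseline of locations and hours should be maintained outside the monitored users' control as well.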

(c) Ian Sommerville 2008